ubuntu/+source/rsync:ubuntu/xenial-security

Last commit made on 2018-01-23
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/rsync
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/xenial-security
Repository:
lp:ubuntu/+source/rsync

Recent commits

3b7ec66... by Leonidas S. Barbosa on 2018-01-18

Import patches-unapplied version 3.1.1-3ubuntu1.2 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 7067af89a5ddf713b9b4857f3936e1e68f74c773

New changelog entries:
  * SECURITY UPDATE: receive_xattr function does not check
    for '\0' character allowing denial of service attacks
    - debian/patches/CVE-2017-16548.patch: enforce trailing
      \0 when receiving xattr values in xattrs.c.
    - CVE-2017-16548
  * SECURITY UPDATE: Allows remote attacker to bypass argument
    - debian/patches/CVE-2018-5764.patch: Ignore --protect-args
      when already sent by client in options.c.
    - CVE-2018-5764

7067af8... by Leonidas S. Barbosa on 2017-12-06

Import patches-unapplied version 3.1.1-3ubuntu1.1 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5bfd701280571db36b7a211350b009e1be0c64a4

New changelog entries:
  * SECURITY UPDATE: bypass intended access restrictions
    - debian/patches/CVE-2017-17433.patch: check fname in
      recv_files sooner in receiver.c.
    - CVE-2017-17433
  * SECURITY UPDATE: not check for fnamecmp filenames and
    does not apply sanitize_paths
    - debian/patches/CVE-2017-17434-part1.patch: check daemon
      filter against fnamecmp in receiver.c.
    - debian/patches/CVE-2017-17434-part2.patch: sanitize xname
      in rsync.c.
    - CVE-2017-17434

5bfd701... by Marc Deslauriers on 2016-01-19

Import patches-unapplied version 3.1.1-3ubuntu1 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 63041cec32b0861cd347c799051489fb6d882fdb

New changelog entries:
  * SECURITY UPDATE: incomplete fix for rsync path spoofing attack
    - debian/patches/CVE-2014-9512-2.diff: add parent-dir validation for
      --no-inc-recurse too in flist.c, generator.c.
    - CVE-2014-9512

63041ce... by Paul Slootman <email address hidden> on 2015-03-07

Import patches-unapplied version 3.1.1-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 078dc6758a9d5984c03d5ba04473ea993632d050

New changelog entries:
  * Added patch for CVE-2014-9512, Rsync path spoofing attack vulnerability.
    closes:#778333

078dc67... by Paul Slootman <email address hidden> on 2014-08-09

Import patches-unapplied version 3.1.1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d79fe3e50cd8fe8260a666d74ac80140639f3a36

New changelog entries:
  * hardening flags were not applied correctly, debian/rules modified thanks
    to patch from Simon Ruderich.
    closes:#754412

d79fe3e... by Paul Slootman <email address hidden> on 2014-07-10

Import patches-unapplied version 3.1.1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 495ef4db46180fa3ad822e23b0f97a1c7a8d3f0c

New changelog entries:
  * new upstream release
    Includes config.* update, closes:#714782
    Includes preallocate patch, closes:#649914
  * Bumped Standards-Version to 3.9.5.0 (no change necessary).
  * revert to using included zlib as there have been numerous reports of failed
    transfers when using -z with the separate zlib.
  * use the now included systemd file instead of our own copy.
  * use hardening=+all flags, thanks to hint from <email address hidden>
  * add noatime patch which adds the --noatime option, which adds the O_NOATIME
    flag when opening files, to no update the access time on kernels that
    support that (linux 2.6.8 and later).
    closes:#738708,#244168
  * changed backtick usage in rules for CFLAGS and LDFLAGS to $(shell ...)
    closes:#699165
  * added autofs to Should-Start: in init.d script.
    closes:#730149
  * added README.Debian file to explain how to get the daemon running.
    closes:#589529
  * simplify init.d nice parameter checking.
    closes:#647145

495ef4d... by Paul Slootman <email address hidden> on 2014-04-16

Import patches-unapplied version 3.1.0-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ee2e75497ccc11bb9c455fd6fa62193ee4fc399a

New changelog entries:
  * fix for CVE-2014-2855 - rsync denial of service
    a remote client can send an invalid username and cause an infinite CPU
    loop on the server child process.
    closes:#744791
  * added upstream signature for uscan usage
  * changed package source format to 3.0 (quilt)

ee2e754... by Paul Slootman <email address hidden> on 2013-10-27

Import patches-unapplied version 3.1.0-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 033ca2a7c844c3977e1a31d5c1c68016194c8a91

New changelog entries:
  * fix build failure if zlib1g-dev package is not installed;
    solved by building without the included zlib source and adding a
    build-depends on zlib1g-dev >= 1:1.2.8
    closes:32379

033ca2a... by Paul Slootman <email address hidden> on 2013-09-30

Import patches-unapplied version 3.1.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b5a79007d1a96c38cf67cc8bdaab63e46bccab56

New changelog entries:
  * new upstream release.
  * Bumped Standards-Version to 3.9.4.0 (no change necessary).
  * Patches cast--1-size_t.diff, delete-delay.diff, manpages.GPL.diff,
    partial-timestamp.diff, progress-cursor-pos.diff, rsyncd.conf.5.comment.diff
    no longer needed (integrated into upstream source).

b5a7900... by Paul Slootman <email address hidden> on 2012-12-02

Import patches-unapplied version 3.0.9-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 3d8ea40fb4a8e0d020b98af8dc2f64b29abc9e44

New changelog entries:
  * mark rsync package as Multi-Arch: foreign.
    closes:#688940
  * fixed cross-builds, thanks to patches from Colin Watson.
    closes:#693991
  * Fixed some lintian messages:
    - call strip with --remove-section=.comment --remove-section=.note
    - added watch file
    - change conflicts with duplicity << 0.6.11 to breaks
      See changelog for 3.0.9-1 for more detail
    - properly state "GNU General Public License" in the manpages
  * Added some overrides for lintian:
    - init.d-script-does-not-provide-itself
      (historically the daemon is referred to as rsyncd)
    - spelling-error-in-binary usr/bin/rsync dont don't
      "dont compress" is a config option. Adding an apostrophe would
      make things quite complicated!